
'Flashlight' Trojan targets Australian banking apps, takes pictures of victims

24 Apr 2017

Android users are being warned about a fake flashlight app on Google Play that is targeting Australian banking apps.

The fake app, called ‘Flashlight LED Widget’, had been downloaded by 5,000 users. According to ESET researchers, the app can also adjust its functionality to target an unlimited number of apps on the victim’s device.

So far it has been detected targeting banking apps from Commbank, NAB and Westpac in order to steal banking credentials. It has also targeted Facebook, WhatsApp, Instagram and Google Play.

The app, detected by ESET as Trojan.Android/Charger.B, was uploaded to Google Play on March 30. On April 10 it was pulled from the store after ESET notified Google.

According to the researchers, the Trojan is a variant of the Charger malware, which was originally used for ransomware; a switch from ransomware to bank phishing is, they say, rare in the Android malware world.

The Trojan does genuinely work as a flashlight, but it also has embedded command and control (C&C) functionality: the operator can push fake screens that mimic real apps, lock the infected device, intercept SMS messages and display fake notifications. SMS interception combined with fake notifications is what lets it bypass SMS-based two-factor authentication.

The fake screens are HTML overlays selected according to which apps are installed on the device; they are displayed over the targeted app as soon as it is launched, ESET says.

The Trojan works by asking for device administrator rights as soon as it is launched. After permissions are granted, the app hides its icon and displays only as a widget. 

It then registers the infected device on the attacker’s server and provides information about the phone. It even goes one step further and attaches a picture of the device owner, which has been taken by the front camera.

According to ESET, if the server detects that the infected device is in Belarus, Russia or Ukraine, the Trojan stops all its activity. Researchers suspect this gives an indication of where the attackers are located, as they may be wanting to avoid prosecution in their home countries.

ESET researchers have also noted that the Trojan uses Firebase Cloud Messaging (FCM), Google’s legitimate push-notification service, to communicate with its C&C; according to ESET this is the first time it has seen malware use FCM as a communication channel.

ESET recommends that all users who have downloaded a flashlight app check that it is legitimate. This particular malicious app can be found in Settings > Application Manager/Apps > Flashlight Widget.

Uninstalling the app is harder than finding it, because Android will not uninstall an active device administrator and the Trojan actively prevents users from deactivating that role.

“When trying to deactivate the rights, the pop-up screen doesn’t go away until you change your mind and click 'activate' again,” researchers report.

ESET recommends booting the device into Safe mode, which stops third-party apps from running; with the Trojan inactive, its device administrator rights can be deactivated and the app uninstalled.

In addition, ESET recommends that users install apps only from official app stores and, before downloading, check an app’s popularity, ratings and what people are saying in reviews.

Be wary of what permissions apps ask for. If a flashlight app asks for device administrator rights, consider uninstalling the app immediately. Finally, use up-to-date mobile security solutions.
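The permission warning above can be turned into a static triage check. The following is an added example, not code from ESET or from the article: it parses a decoded AndroidManifest.xml (as produced by apktool or aapt) and flags exactly the red flags the article describes, namely a device-administrator receiver, SMS and overlay permissions, camera access and an FCM listener. The two manifests, the permission weights and the verdict threshold are constructed assumptions of this example, not the real Charger.B manifest or any published scoring scheme.

```python
"""Static triage of an Android manifest for the red flags a fake
utility app shows: device-admin rights plus SMS, overlay, camera and
push-messaging capabilities. Constructed example; the manifests below
are made up to mirror the behaviour the article describes."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = "{%s}name" % ANDROID_NS
PERM_ATTR = "{%s}permission" % ANDROID_NS

# Permissions that are out of place in a flashlight app. The weights are
# an assumption of this example, not a published scoring scheme.
RISKY_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": 3,          # intercept 2FA codes
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,  # overlays on banking apps
    "android.permission.CAMERA": 1,               # photo of the victim
}
DEVICE_ADMIN_WEIGHT = 5
SUSPICIOUS_THRESHOLD = 5

# Constructed manifest mimicking the Trojan described in the article.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlightwidget">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Flashlight LED Widget">
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
    <service android:name=".PushService">
      <intent-filter>
        <action android:name="com.google.firebase.MESSAGING_EVENT"/>
      </intent-filter>
    </service>
  </application>
</manifest>
"""

# Constructed manifest of a flashlight app that asks for nothing unusual.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.plainflashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.FLASHLIGHT"/>
  <application android:label="Plain Flashlight"/>
</manifest>
"""


def analyse_manifest(xml_text):
    """Return a dict with the package name, requested permissions,
    the individual findings, a score and a verdict."""
    root = ET.fromstring(xml_text)
    # Elements are unprefixed; only attributes live in the android: namespace.
    perms = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # A DeviceAdminReceiver must be declared with BIND_DEVICE_ADMIN.
    device_admin = any(
        el.get(PERM_ATTR) == "android.permission.BIND_DEVICE_ADMIN"
        for el in root.iter("receiver")
    )
    fcm_listener = any(
        act.get(NAME_ATTR) == "com.google.firebase.MESSAGING_EVENT"
        for act in root.iter("action")
    )
    findings = []
    score = 0
    if device_admin:
        findings.append("declares a device administrator receiver")
        score += DEVICE_ADMIN_WEIGHT
    for perm in sorted(perms):
        weight = RISKY_PERMISSIONS.get(perm, 0)
        if weight:
            findings.append("requests " + perm)
            score += weight
    if fcm_listener:
        # Informational only: FCM is a legitimate push channel, but the
        # article notes Charger.B used it to talk to its C&C server.
        findings.append("registers an FCM message listener")
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "benign-looking"
    return {
        "package": root.get("package", ""),
        "permissions": sorted(p for p in perms if p),
        "device_admin": device_admin,
        "findings": findings,
        "score": score,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = analyse_manifest(manifest)
        print(result["package"], result["verdict"], result["score"])
        for line in result["findings"]:
            print("  -", line)
```

Run against a real APK, the same function can be fed the output of `apktool d` or `aapt dump xmltree` after decoding; the scoring only encodes the article’s heuristic (a flashlight app has no business being a device administrator or reading SMS), so treat a high score as a reason to look closer, not as a detection on its own.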
